commit 821ef85f0a0672d14bc6f913470a0d32aece57ff
Author: Mike
Date: Mon Jul 22 20:56:35 2024 +0300
.
diff --git a/INSTALL.md b/INSTALL.md
new file mode 100644
index 0000000..3ef211c
--- /dev/null
+++ b/INSTALL.md
@@ -0,0 +1,80 @@
+```
+install crates-pijul, pijul id new, pil21
+clone pijul-tests manually, run braid.sh first time, del pijul-tests
+
+cat .profile
+ulimit -s unlimited
+ulimit -c unlimited
+export TZ="Europe/Riga"
+export EDITOR=micro
+export PATH=$PATH:~/pil21:~/pijul/target/release:~/.cargo/bin
+alias xup='sudo pacman -Syu'
+alias mi='micro'
+alias xup='sudo pacman -Syu'
+alias g1='git commit -aqm . && git push -q'
+alias pdb='pijul reset --force && pijul pull -a && cargo update && nice cargo build --release'
+alias pi='pijul'
+alias pin='pijul pull -a'
+alias pir='pijul rec -am"."'
+alias pis='pijul diff --short --untracked'
+alias pre='pijul record -am"." && pijul push -a'
+
+apk add bash cronie, switch
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/suite/pil21:/home/suite/pijul/target/release:/home/suite/.cargo/bin
+0 4 * * * /home/suite/pijul-suite/start.l -main 1>/dev/null 2>&1
+
+acme.sh --register-account -m tankf33der@disroot.org
+acme.sh --issue -d pulsar.pb1n.de -w /var/www/localhost/htdocs --keylength ec-256
+acme.sh --install-cert -d pulsar.pb1n.de --key-file /etc/lighttpd/pulsar.key --fullchain-file /etc/lighttpd/pulsar.pem
+
+apk add opensmptd
+rc-update add smptd
+cat secrets
+myrelay mpech@envs.net:qwerty123
+cat smtpd.conf
+table aliases file:/etc/smtpd/aliases
+table secrets file:/etc/smtpd/secrets
+listen on lo
+action "local" maildir alias
+action "relay" relay host smtp+tls://myrelay@mail.envs.net:587 auth
+match for local action "local"
+match from local for any action "relay"
+
+server.bind = "0.0.0.0"
+server.port = "80"
+$SERVER["socket"] == "[::]:80" { }
+server.document-root = "/var/www/localhost/htdocs"
+server.username = "lighttpd"
+server.groupname = "lighttpd"
+server.pid-file = "/run/lighttpd.pid"
+# accesslog.filename = "/var/log/lighttpd/access.log"
+server.modules = (
+ "mod_redirect",
+ "mod_dirlisting",
+ "mod_openssl",
+ "mod_setenv",
+ # "mod_accesslog"
+)
+dir-listing.activate = "enable"
+dir-listing.set-footer = "lighttpd"
+
+url.redirect = ("^[^?]*/$" => "$0?C=M&O=A")
+
+$HTTP["scheme"] == "http" {
+ url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
+}
+
+ssl.privkey = "/etc/lighttpd/pulsar.key"
+ssl.pemfile = "/etc/lighttpd/pulsar.pem"
+$SERVER["socket"] == "*:443" {ssl.engine = "enable"}
+$SERVER["socket"] == "[::]:443" {ssl.engine = "enable"}
+var.response_header_policy = (
+ "strict-transport-security" => "max-age=63072000; includeSubDomains; preload",
+ "x-frame-options" => "DENY",
+ "x-content-type-options" => "nosniff",
+ "x-xss-protection" => "1; mode=block",
+ "permissions-policy" => "interest-cohort=()"
+)
+setenv.set-response-header += var.response_header_policy
+```
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7ca29e5
--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+### Welcome to PulsarCI
+System can run [tests](https://git.envs.net/mpech/pijul-tests) automagically and send reports:
+- [web](https://pulsar.pb1n.de/suite)
+- email
+- [mastodon](https://mastodon.social/@pijul_status) ([RSS](https://mastodon.social/@pijul_status.rss))
+
+##### Highlights:
+- written on greate and the only [PicoLisp](https://picolisp.com) programming language
+- triggered by cron under reentrance protection
+- identified by [latest](https://nest.pijul.com/pijul/pijul/changes) hash and run test once
+- [example](https://pulsar.pb1n.de/EXAMPLE-OK.txt) of report (Apr 2024)
+- on web latest [report](https://pulsar.pb1n.de/suite) is always on top of deck (sorted by date)
+
+Happy coding!
diff --git a/UNLICENSE b/UNLICENSE
new file mode 100644
index 0000000..68a49da
--- /dev/null
+++ b/UNLICENSE
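Review bot: The `myrelay …` line under `cat secrets` in the INSTALL.md hunk contains what looks like a real SMTP relay password, committed into version control; that credential should be rotated at the provider and the line replaced with a placeholder such as `myrelay <relay-user>:<relay-password>`, with the real value living only in `/etc/smtpd/secrets` on the host. A one-line comment above the excerpt, `# placeholder — never commit the real relay password`, would keep the next copy-paste from repeating the leak. Two smaller points in the lighttpd block: `x-xss-protection` is a deprecated header that current browsers ignore and some older ones misbehaved on, so `"0"` or omitting it is the usual advice; and with `mod_accesslog` commented out there is no request log to consult if the published reports are ever tampered with.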
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
diff --git a/sshaudit.cfg b/sshaudit.cfg
new file mode 100644
index 0000000..5a7df80
--- /dev/null
+++ b/sshaudit.cfg
@@ -0,0 +1,33 @@
+#
+# Custom policy based on ssh.pijul.com (created on 2024/05/26)
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Custom Policy (based on ssh.pijul.com on 2024/05/26)"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-thrussh_0.35.1"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib, zlib@openssh.com
+
+# Dictionary containing all host key and size information. Optionally contains the certificate authority's signature algorithm ('ca_key_type') and signature length ('ca_key_size'), if any.
+host_key_sizes = {"rsa-sha2-256": {"hostkey_size": 0}, "ssh-rsa": {"hostkey_size": 0}, "rsa-sha2-512": {"hostkey_size": 0}, "ssh-ed25519": {"hostkey_size": 256}}
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, rsa-sha2-256, rsa-sha2-512
+
+# Host key types that may optionally appear.
+#optional host keys = ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256@libssh.org, kex-strict-s-v00@openssh.com
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = none
diff --git a/start.l b/start.l
new file mode 100755
index 0000000..16cb389
--- /dev/null
+++ b/start.l
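Review bot: `macs = none` at the end of the policy needs a comment saying why it is acceptable: the only cipher the policy admits is `chacha20-poly1305@openssh.com`, an AEAD cipher that carries its own integrity tag, so a MAC list of `none` describes this server rather than weakening the check, but the line must be revisited if a non-AEAD cipher is ever added above it. Suggested comment: `# acceptable only because the sole cipher above is AEAD; revisit if a non-AEAD cipher is added`. The RSA entries in `host_key_sizes` all carry `"hostkey_size": 0`, which appears to mean no RSA key length is recorded or enforced — worth confirming against ssh-audit's policy semantics and noting in a comment, since the file otherwise reads as a hardening gate rather than a snapshot of the current server.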
@@ -0,0 +1,105 @@
+#!/usr/bin/env pil
+(de protection ()
+ (let C 0
+ (in '(pgrep -f start.l)
+ (while (line)
+ (inc 'C) ) )
+ (when (>= C 2) (bye)) ) )
+(de ok (S)
+ (push '*Res (cons 0 S)) )
+(de fatal (S)
+ (nil (push '*Res (cons 1 S))) )
+(de connection ()
+ (if (call 'bash '-c "ssh-audit -t30 -P/home/suite/pijul-suite/sshaudit.cfg ssh.pijul.com > /dev/null")
+ (ok "connect")
+ (throw 'exit) ) )
+(de pijul-tests ()
+ (if
+ (and
+ (cd "/home/suite")
+ (call 'git 'clone '-q 'https://git.envs.net/mpech/pijul-tests)
+ (cd "/home/suite/pijul-tests")
+ (call 'bash 'braid.sh) )
+ (ok "get tests")
+ (fatal "get tests") ) )
+(de getstate ()
+ (if
+ (and
+ (cd "/home/suite/pijul")
+ (in '(bash -c "pijul log --hash-only | head -1")
+ (setq *Hash (pack (head 8 (line)))) ) )
+ (ok "get state")
+ (fatal "get state") ) )
+(de clone ()
+ (if
+ (and
+ (cd "/home/suite")
+ (call '/home/suite/.cargo/bin/pijul 'clone 'tankf33der@ssh.pijul.com:pijul/pijul) )
+ (ok "clone")
+ (fatal "clone") ) )
+(de recompile ()
+ (if
+ (and
+ (cd "/home/suite/pijul")
+ (call 'cargo 'update)
+ (call 'cargo 'build '--release)
+ (call '/home/suite/pijul/target/release/pijul '-V) )
+ (ok "recompile")
+ (fatal "recompile") ) )
+(de suite ()
+ (cd "/home/suite/pijul-tests")
+ (for File (sort (dir "./"))
+ (let (C (chop File) Task (pack (car (split C '.))))
+ (when (match '`(chop "@.sh") C)
+ (if (call 'bash File)
+ (ok Task)
+ (fatal Task) ) ) ) ) )
+(de fin? ()
+ (if (fully '((L) (=0 (car L))) *Res)
+ "-OK"
+ "-FATAL" ) )
+(de found? ()
+ (t
+ (when (= *Hash (rc *RC 'last))
+ (throw 'exit) ) ) )
+(de writelog ()
+ (let
+ (Base (pack "/var/www/localhost/htdocs/suite/" *Hash)
+ File (pack Base (fin?) 
".txt")
+ Fmt (25 10) )
+ (call 'bash '-c (pack "rm -f " Base "*"))
+ (out File
+ (for L (reverse *Res)
+ (tab
+ Fmt
+ (cdr L)
+ (if (=0 (car L)) 'OK 'FATAL) ) ) ) ) )
+(de main NIL
+ (protection)
+ (setq *RC "~/.pil/suite")
+ (unless (info *RC)
+ (rc *RC 'last NIL) )
+ # Global state are two vars
+ (let (*Res NIL *Hash "CONNECTION")
+ (catch 'exit
+ (and
+ (connection) # throw 'exit, protection for clone
+ (clone)
+ (getstate)
+ (found?) # throw 'exit, total silent stop
+ (recompile)
+ (pijul-tests)
+ (ok "---------")
+ # never fallthru
+ # always runs and collects all tests
+ (suite) )
+ (writelog)
+ (mail "localhost" 25 "mpech@envs.net" (quote "tankf33der@disroot.org") (pack "pulsarCI: " *Hash (fin?)))
+ (when (= "-OK" (fin?))
+ (rc *RC 'last *Hash) )
+ (call 'toot 'post (pack "pulsarCI: " *Hash (fin?))) )
+
+ (call 'rm '-rf '/home/suite/pijul)
+ (call 'rm '-rf '/home/suite/pijul-tests)
+ (call 'rm '-rf '/home/suite/pijul-tests-data) )
+ (bye) )
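Review bot: `writelog` builds a shell command by string concatenation, `(call 'bash '-c (pack "rm -f " Base "*"))`, where `Base` embeds `*Hash` taken from `pijul log` output; that source is trusted today, but it is the only place the script hands interpolated data to a shell, and `(for F (dir "/var/www/localhost/htdocs/suite/") (when (pre? *Hash F) (call 'rm '-f (pack "/var/www/localhost/htdocs/suite/" F))))` performs the same prefix delete without one. Separately, when the `ssh-audit` gate in `connection` fails the `(throw 'exit)` leaves the `catch` before `writelog`, `mail` and `toot` run, so a server-side algorithm change or an outage at ssh.pijul.com produces no report and is indistinguishable from "nothing new to test"; recording it first, `(fatal "connect") (writelog) (throw 'exit)`, would make the gate's failures visible while still skipping the clone. `protection` counts every process whose command line contains `start.l` via `pgrep -f`, so an unrelated match (an editor or shell with the file name in its arguments) also ends the run silently; a lock file would be the more precise reentrance guard if that case matters.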